How to authenticate SSH servers with SSHFP

Securely connecting to your server

One of SSH’s key features is the use of keys to identify the server you are connecting to, meaning that you can be certain you are connecting to the correct server and not another server pretending to be that one. Unfortunately, users who connect to many servers can be accustomed to seeing the warning message that a server’s key is unknown. SSHFP presents a potential solution to this problem....

November 20, 2022 · 3 min · soup

Securing OpenSSH keys with hardware-based authentication (FIDO2)

Passwordless authentication with OpenSSH keys has been the de facto security standard for years. SSH keys are more robust since they’re cryptographically sane by default, and are therefore resilient to most brute-force attacks. They’re also easier to manage while enabling a form of decentralized authentication (it’s easy and painless to revoke them). So, what’s the next step? And more exactly, why would one need something even better?

Why?

The main problem with SSH keys is that they’re not magic: they consist of a key pair, of which the private key is stored on your disk....

April 9, 2022 · 4 min · Wonderfall

sshd_config

Based on the one used by GrapheneOS on their sites. Source: github.com/grapheneos/infrastructure

# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented....

November 18, 2022 · 2 min · soup